One of my visitors was concerned that her website displayed a listing of all the files contained in
a particular directory (folder). (If you don't know what I mean, take a look at
this directory on Mozilla's server, where
the listing is deliberately allowed, so that advanced users can quickly get specific versions of Firefox
that are otherwise not easily obtained through the main website's user interface.) She had
read my article on
How
to Prevent a Directory Listing of Your Website with .htaccess but wanted to know if there was
a solution that did not involve modifying the .htaccess file.
Although my visitor did not disclose her reason for wanting a non-htaccess solution, from experience with others who have asked this question, my guess is that it is probably one of the following reasons:
Some people find the .htaccess solution intimidating. "What is this unpronounceable .htaccess
thing? Why does the name begin with a dot? What on earth is a plain text editor? Can I just use Microsoft Powerpoint
instead?"
For others, their website is hosted on a machine that is not running the Apache web server. Although Apache servers
probably constitute the majority on the Internet, there are still many systems running other types
of web server software.
If a site is hosted on the latter, the webmaster won't be able to configure it via a .htaccess file.
Even if a website is hosted on an Apache server, the web host may not have enabled .htaccess overrides. That is, they
may not have given individual webmasters the ability to override the default behaviour of a web server with a
.htaccess file. This is more likely if the site is on some sort of free web host.
Commercial web hosts
typically let you to use a .htaccess file to configure your website.
In reality, the alternatives to using .htaccess are just as effective, and if you are a non-technical person,
they are arguably easier to do. Here are the most obvious two that I can think of.
Many web hosts provide a way to disable the default listing of a folder on your website. Often this involves logging into your website's control panel on their system, and clicking a checkbox somewhere. (Your web host may call the "control panel" by a different name. Basically, it's just a place on their system where you can log in to configure different aspects of your website.)
For example, on my current web host, I have to log into my site's control panel, select "Settings", and click the box that says "Do Not Show Directory Indexes".
By default, if a file named index.html exists in a particular directory, modern web servers
will display its contents instead of showing a directory listing.
You can take advantage of this by placing a empty index.html
in the directory which currently shows you a list of files. The web server will dutifully deliver this blank file
to your visitors should they visit the directory.
For those who are not sure how to create an empty file, just start up the program that you normally use to
create a web page. (Alternatively, you can use any
plain text editor,
like Notepad for Windows or TextEdit for Mac.) Then open a new blank page.
On many web editors, this is typically done by clicking
"File" from the menu bar, followed by "New" or "New page" or something to that effect. Instead of doing
the usual thing of writing something, immediately save the file as "index.html" (without the
quotation marks). If you are worried because your web editor added some placeholder text to the page,
either delete it or ignore it. You don't really care about this page, since its sole purpose is to prevent
the web server from generating a directory listing. Visitors who see it are those who have deliberately gone
to that directory themselves, since you are not going to link to it. As such, even if the page says
"Insert content here", so what? The visitors are not supposed to be there in the first place. Let them admire
your placeholder text.
Important: the name of the file should be exactly "index.html", with no capital
(uppercase) letters, spaces or anything like that. For example, a name like "Index.html" is wrong, since it
starts with a capital letter. (It's easy to overlook if you normally use Windows, which by default ignores the
capitalization of filenames, so make sure you look carefully at the name you are typing.)
If you have more than one directory where you want to suppress a directory listing, you will have to create
an empty "index.html" for every one of them.
If a directory already has an existing "index.html" page in it, do NOT overwrite that file with your blank page, or you may be overwriting one of your real web pages.
After uploading the "index.html" file, test by going to the directory with your browser. If you still see
a directory listing, check that the filename is correct. If it is, your site may be on an old version
of the IIS web server. In such a case, try using an empty "default.htm" file instead.
There are some minor disadvantages of using these solutions instead of a .htaccess file.
If you create a .htaccess file to disable the directory listing, if/when you
change hosts, your
.htaccess file goes with you, since you will probably just move every file on your site
to your new host. As a result, the directory listing setting automatically follows your website
everywhere, without additional work.
If you use the control panel method, you will have to remember to look for this setting on your new web host and enable it as well.
The empty index.html file must be put into every directory for which you want the listing suppressed.
For example, webmasters typically place their pictures in a separate folder, apart from the web pages displaying them.
If you have created a hierarchy of such image folders, possibly because you have a lot of pictures, and
you don't want the server to display a directory listing of any one of them, you will need to make sure
that all these directories have their own index.html file.
In contrast, a .htaccess file containing the appropriate Options -Indexes directive
need only to be placed in the top level web directory, and the setting will percolate to every subdirectory
below it.
None of these disdvantages are crippling, so use whichever method you prefer. In general, between the two alternatives,
I think the index.html method is marginally better, since it is more portable. That is, it does not rely
on your web host having the required feature in their control panel, and if you need to, you can move your site to any web host
without having to keep track of yet another thing to update.
Copyright © 2019 Christopher Heng. All rights reserved.
Get more free tips and articles like this,
on web design, promotion, revenue and scripting, from https://www.thesitewizard.com/.
Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at https://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.
This article is copyrighted. Please do not reproduce or distribute this article in whole or part, in any form.
It will appear on your page as:
How to Prevent a Directory Listing of Your Website Without Using .htaccess
